What is PROFIsafe and how does it work? Pete Brown Siemens I CS


Page 1: What is Pete Brown Siemens I CS PROFIsafe and work? · PDF file3 Peter Brown / What is PROFIsafe? Profibus DP Standard-Host/PLC F-Gate- way otherTCP/IP Safety- Bus Repeater Standard-I/O

What is PROFIsafe and how does it work?

Pete Brown, Siemens I CS

Page 2

Peter Brown / What is PROFIsafe?

What do we mean by “Safety”?

“The condition of being safe; freedom from danger, risk, or injury.”

In the UK (and Europe) this can cover many areas and industries, for example:

Supply of Machinery (Safety) Regulations
Electromagnetic Compatibility Regulations
Electrical Equipment (Safety) Regulations
Pressure Equipment Regulations
Simple Pressure Vessels (Safety) Regulations
Equipment and Protective Systems Intended for Use in Potentially Explosive Atmospheres Regulations
Lifts Regulations
Medical Devices Regulations
Gas Appliances (Safety) Regulations

Important: It is essential to have some form of risk assessment / risk analysis, e.g. HAZAN / HAZID / HAZOP / RA to ISO 12100.

Page 3

PROFIsafe – The Vision

Figure: Coexistence of standard and failsafe communication on one Profibus DP network. Shown: a Standard-Host/PLC and an F-Host/FPLC as masters (Master-Slave Assignment), Standard-I/O, F-I/O, an F-Field-Device, an F-Sensor and an F-Actuator, an F-Gateway to another Safety Bus, a Repeater, a DP/PA link, and an Engineering Tool (PG/ES) reached over TCP/IP with secure access, e.g. a Firewall. F = Failsafe.

Page 4

Cyclic Communication

Figure: an F-Host / FPLC as master polls a Laserscanner, Standard-I/O, F-I/O and a Drive with integrated Safety within one Bus cycle (steps 1 and 2).

1:1 communication relationship between master and slave.

Page 5

PROFIsafe – ISO/OSI Model

"Black Channel": ASICs, Links, Cables, etc. Not safety relevant.
"PROFIsafe": safety-critical communication functions: Addressing, Watchdog Timers, Sequencing, Signature, etc.
Safety relevant, but not part of PROFIsafe: Safety I/O / Safety Control Systems.
Non safety critical functions, e.g. Diagnostics.

Figure: ISO/OSI layers 1, 2 and 7 in each of five nodes: Standard I/O, Standard Control, Safety Input, Safety Control and Safety Output. The three safety nodes carry an additional Safety-Layer above layer 7; the standard nodes do not.

Page 6

PROFIsafe – Add-on Strategy

Standard components: standard engineering tool STEP 7; Standard CPU; Standard PROFIBUS DP; Standard Remote I/O.

Failsafe add-ons: Failsafe engineering tool Distributed Safety; Failsafe Application Program; F-Hardware: Failsafe I/O Modules; PROFIsafe.

Page 7

PROFIsafe - Program

Coexistence of standard program and safety-related program on one CPU.
Changes to the standard program have no effect on the integrity of the safety-related program section.

Figure: CPU program memory laid out as Standard program, Safety program, Standard program and Back-up.

Page 8

PROFIsafe – Coded Processing

Time redundancy and diversity replace complete redundancy.

Figure: Coded Processing. Time redundancy: the Operation and then the Diverse Operation run one after the other on the same hardware. Coding: the Operation applies its Operators (e.g. AND) to the inputs A, B and produces the Output D; the Diverse Operation applies Diverse Operators (e.g. OR) to the inverted inputs /A, /B and produces the Diverse Output C. Comparison: continue while D = /C; Stop by D ≠ /C.
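The coded-processing scheme on this slide, written out as an added example (this is not code from the presentation or from Siemens): the same safety function is evaluated twice on one CPU (time redundancy), first on the plain inputs A, B with the intended operator, then on the inverted inputs /A, /B with the diverse operator (the De Morgan dual). The plain output D must equal the inverse of the diverse output C; if D ≠ /C the function stops and the output goes to the safe state. The guard and emergency-stop logic, the stuck-at fault model and the input vectors are constructed for this example.

```python
"""Coded processing (time redundancy + diverse operators + comparison), as an
added illustration of slide 8.  Not the presentation's own code."""
from itertools import product


def run_coded(func, dual, inputs, fault=None):
    """Evaluate func(inputs) as D and dual(inverted inputs) as C, then compare.
    Returns the output, or None when the comparison fails (stop / safe state).
    `fault`, if given, corrupts D to model a fault in the plain channel."""
    d = func(*inputs)                      # Operation on A, B
    if fault is not None:
        d = fault(d)                       # injected fault in one channel
    c = dual(*[not x for x in inputs])     # Diverse Operation on /A, /B
    if d != (not c):                       # Comparison: D must equal /C
        return None                        # Stop by D != /C
    return d


# constructed guard logic: run is permitted only when both guards are closed
def guards_closed(a, b):
    return a and b                         # AND over A, B


def guards_closed_diverse(not_a, not_b):
    return not_a or not_b                  # diverse OR over /A, /B = /(A AND B) by De Morgan


# constructed stop logic: stop if either emergency-stop button is pressed
def estop(a, b):
    return a or b


def estop_diverse(not_a, not_b):
    return not_a and not_b                 # diverse AND over /A, /B = /(A OR B)


def false_stops(func, dual, arity=2):
    """Exhaustive check that a fault-free run never stops wrongly; returns the count of false stops."""
    return sum(1 for inputs in product([False, True], repeat=arity)
               if run_coded(func, dual, inputs) is None)


def detected_stuck_faults(func, dual, arity=2):
    """Count the input vectors on which a stuck-at-0 or stuck-at-1 fault on D
    actually changes D and is caught by the D = /C comparison."""
    caught = 0
    for inputs in product([False, True], repeat=arity):
        expected = func(*inputs)
        for stuck in (lambda _: False, lambda _: True):
            if stuck(expected) != expected and run_coded(func, dual, inputs, fault=stuck) is None:
                caught += 1
    return caught


if __name__ == "__main__":
    print("guards (True, False) ->", run_coded(guards_closed, guards_closed_diverse, (True, False)))
    print("guards with stuck-at-1 on D ->", run_coded(guards_closed, guards_closed_diverse, (True, False), fault=lambda _: True))
    print("false stops:", false_stops(guards_closed, guards_closed_diverse), false_stops(estop, estop_diverse))
    print("stuck faults caught:", detected_stuck_faults(guards_closed, guards_closed_diverse), detected_stuck_faults(estop, estop_diverse))
```

The point the exhaustive checks make is the one the slide makes: a single diverse re-computation detects every single-channel fault that changes the output, without a second CPU, and it never stops a fault-free run.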

Page 9

PROFIsafe - Introduction

Figure: the “Black channel”. A PROFIsafe layer at each end exchanges Fail-safe data alongside Standard data, and both travel over the Standard bus protocol, PROFIBUS or PROFINET.

Safety-oriented communication via PROFIsafe:
First communication standard in accordance with the safety standard IEC 61508.
PROFIsafe supports safe communication over the open standards PROFIBUS and PROFINET.
PROFIsafe counters possible faults such as address errors, delay and data loss with: serial numbering of the PROFIsafe telegram; time monitoring; authenticity monitoring via unique addresses; optimized CRC checking.
PROFIsafe supports standard and failsafe communication over one medium.

Page 10

PROFIsafe - Introduction

Overview: possible errors and detection mechanisms

Figure: matrix of the failure types (rows) against the remedies (columns).

Failure types: Repetition; Deletion; Insertion; Resequencing; Data Corruption; Delay; Masquerade (a standard message mimics a failsafe one); Revolving memory failure within switches.

Remedies: Consecutive Number; Time Out with Receipt; Codename for Sender and Receiver; Data Consistency Check.

Page 11

PROFIsafe safety PDU

Figure: a stream of Standard PROFINET IO messages (S S S S), each carrying a PROFIsafe container (= Safety PDU) laid out as:

F Input/Output Data | Status / Control Byte | CRC2
Max. 12 / 123 Bytes | 1 Byte | 3 / 4 Bytes *)

CRC2 is calculated across the F I/O data, the Status or Control Byte, the F-Parameter and Vconsnr_h.

*) 3 Bytes for a max. of 12 Bytes of F I/O data; 4 Bytes for a max. of 123 Bytes of F I/O data.

Page 12

Example: Extended Consecutive Number (24 Bit)

Figure: F-Device side of the safety PDU:

F Input data | Status Byte | CRC2
Max. 12 / 123 Bytes | 1 Byte | 3 / 4 Bytes

CRC2 across F Input data, Status Byte, F-Parameter and Vconsnr_d.
CRC1: 3 Bytes.
Vconsnr_d (F-Device): Consecutive Number, 3 Bytes, not transmitted, 0, 1 ... 0FFFFFFh.
Change Toggle_d (01 or 10) when incremented; include Vconsnr_d within the CRC2 calculation (see calculation details).
Reset R_cons_nr (Bit 2 of the Control Byte) 1
Increment Toggle_h (Bit 5 of the Control Byte)

24/32 Bit CRC Signature
24 Bit consecutive number
Synchronization via "Toggle Bit"
Virtual consecutive numbering = patented
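The checks described on slides 10 to 12 (consecutive number, time-out, sender/receiver codename, data consistency check, and the virtual consecutive number that is covered by CRC2 but never transmitted) as an added working model; this is not code from the presentation, from Siemens or from the PROFIsafe specification. Assumptions, all labelled in the code: zlib.crc32 stands in for the real PROFIsafe CRC polynomial, the wire layout (F data, then one Status/Control byte, then a 4-byte CRC) is illustrative, the codename is a constructed pair of source and destination addresses, and the traffic in the scenarios is constructed. Only the toggle bit position (bit 5 of the Control Byte) and the 24-bit counter range come from the slides.

```python
"""Simplified PROFIsafe-style receiver checks, as an added illustration of
slides 10 to 12.  Not the presentation's, Siemens' or the specification's code."""
import struct
import zlib

TOGGLE_BIT = 0x20        # slide 12: Toggle bit is bit 5 of the Control Byte
CONS_MASK = 0xFFFFFF     # 24-bit consecutive number, 0 ... 0FFFFFFh


def crc_signature(f_data: bytes, status: int, codename: tuple, vconsnr: int) -> int:
    """CRC2 'across F I/O data, Status/Control byte, F-Parameter and Vconsnr'.
    The consecutive number is hashed in here even though it is never sent.
    Assumption: zlib.crc32 replaces the PROFIsafe polynomial."""
    src, dst = codename
    buf = (f_data + bytes([status]) + struct.pack(">HH", src, dst)
           + (vconsnr & CONS_MASK).to_bytes(3, "big"))
    return zlib.crc32(buf) & 0xFFFFFFFF


class FSender:
    def __init__(self, codename: tuple):
        self.codename, self.vconsnr, self.status = codename, 0, 0

    def build(self, f_data: bytes) -> bytes:
        """Each new telegram flips the toggle bit and advances the virtual counter."""
        self.status ^= TOGGLE_BIT
        self.vconsnr = (self.vconsnr + 1) & CONS_MASK
        crc = crc_signature(f_data, self.status, self.codename, self.vconsnr)
        return f_data + bytes([self.status]) + crc.to_bytes(4, "big")   # illustrative layout


class FReceiver:
    def __init__(self, codename: tuple, watchdog_ms: int):
        self.codename, self.watchdog_ms = codename, watchdog_ms
        self.vconsnr, self.last_toggle, self.last_ok_ms, self.failsafe = 0, 0, 0, False

    def check(self, pdu: bytes, now_ms: int) -> str:
        """Return 'ok', 'repeat', 'crc' or 'timeout'; 'crc' and 'timeout' latch fail-safe."""
        if self.failsafe:
            return "failsafe"
        if now_ms - self.last_ok_ms > self.watchdog_ms or len(pdu) < 6:
            self.failsafe = True      # Delay / stall: no fresh valid telegram within the time-out
            return "timeout"
        f_data, status, crc = pdu[:-5], pdu[-5], int.from_bytes(pdu[-4:], "big")
        if status & TOGGLE_BIT == self.last_toggle:
            return "repeat"           # Repetition: toggle unchanged, counter not advanced, data ignored
        self.last_toggle = status & TOGGLE_BIT
        self.vconsnr = (self.vconsnr + 1) & CONS_MASK
        if crc != crc_signature(f_data, status, self.codename, self.vconsnr):
            self.failsafe = True      # Corruption, Masquerade, or a counter mismatch from Deletion /
            return "crc"              # Insertion / Resequencing: the untransmitted Vconsnr disagrees
        self.last_ok_ms = now_ms
        return "ok"


def run_scenarios() -> dict:
    """Drive constructed traffic through the checks; returns the verdicts per failure type."""
    codename = (0x0100, 0x0201)       # constructed source / destination addresses
    results = {}

    tx, rx = FSender(codename), FReceiver(codename, watchdog_ms=100)
    results["normal"] = [rx.check(tx.build(b"\x01"), t) for t in (10, 20, 30)]

    tx, rx = FSender(codename), FReceiver(codename, watchdog_ms=100)
    pdu = bytearray(tx.build(b"\x01"))
    pdu[0] ^= 0x80                    # Data Corruption: one flipped bit in the F data
    results["corruption"] = rx.check(bytes(pdu), 10)

    tx, rx = FSender(codename), FReceiver(codename, watchdog_ms=100)
    rx.check(tx.build(b"\x01"), 10)
    tx.build(b"\x01")                 # Deletion: this telegram never arrives
    results["deletion"] = [rx.check(tx.build(b"\x01"), 30), rx.check(tx.build(b"\x01"), 40)]

    rx = FReceiver(codename, watchdog_ms=100)
    impostor = FSender((0x0100, 0x0999))   # Masquerade: telegram built for another codename
    results["masquerade"] = rx.check(impostor.build(b"\x01"), 10)

    tx, rx = FSender(codename), FReceiver(codename, watchdog_ms=100)
    results["delay"] = [rx.check(tx.build(b"\x01"), 10), rx.check(tx.build(b"\x01"), 200)]

    tx, rx = FSender(codename), FReceiver(codename, watchdog_ms=100)
    pdu = tx.build(b"\x01")
    results["repetition"] = [rx.check(pdu, t) for t in (10, 20, 150)]   # same telegram three times
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:11s} {verdict}")
```

Two behaviours worth noting: a single lost telegram first looks like a repeat (same toggle value) and is only unmasked on the next telegram, when the receiver's virtual counter is one behind the sender's and CRC2 fails; and a stale or repeated telegram is never "wrong" by itself, only the watchdog turns it into a fault.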

Page 13

PROFIsafe - Introduction

Which protocol must be supported?

Figure: an F-Host / PROFINET IO-Controller (IO-C) behind a PROFINET SWITCH talks to a PROFINET-IO Device with F-DI and F-DO modules and, through a PROFINET-PROFIBUS Link, to a PROFIBUS Device and a Modular Device with a Local bus and F-DO. An F-DI connects a Sensor, an F-DO an Actuator. The PROFIsafe PDU is carried by Encapsulation at each stage: PROFINET, PROFIBUS and the local bus.

F-DI: Fail-safe digital input
F-DO: Fail-safe digital output
IO-C: PROFINET IO-Controller

Page 14

PROFIsafe - Introduction

Which protocol version applies when?

PROFIsafe V2 slave used in | Protocol with 8Bit-Counter (= PROFIsafe V1 mode) | Protocol with 24Bit-Counter (= PROFIsafe V2 mode)
PROFIBUS network only | mandatory | mandatory
PROFINET network only | - | mandatory
PROFIBUS / PROFINET network | mandatory | mandatory

Goal: 100% compatibility. A PROFIsafe slave which supports the V2 mode must be able to replace an older version of this PROFIsafe slave which only supports the V1 mode, without the need for any adaptation.

Page 15

PROFIsafe - Introduction

Which protocol version applies when?

Figure: a DP Master with a PROFINET segment (PROFIsafe V2) and PROFIBUS segments (PROFIsafe V1 or V2). On PROFINET: an I/O-Device V2 and, behind a Proxy, DP Slave V2 only. On PROFIBUS: DP Slave V2 and DP Slave V1 side by side.

V1 = PROFIsafe Profile V1
V2 = PROFIsafe Profile V2

Page 16

Handling Functional Safety

Modern Requirements and Best Practice

Page 17

‘Drivers’ for Safety

Legislation: “I need to do something ... but what?”

Fear: “What are my responsibilities, and am I doing enough ... or too much?”

Compliance: “Can I prove I have done as much as is reasonably practicable?”

Operational Efficiency: “Can I produce products safely with maximum efficiency?”

Cost: “Am I getting the best return on my investment?” (FFI)

Support: “I want advice based on solutions not products”


Peter Brown / Handling Functional Safety

Page 18

What is Functional Safety?

Functional safety is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs. Functional safety is achieved when every specified safety function is carried out and the level of performance required of each safety function is met.

Functional safety relies on active systems. Safety achieved by measures that rely on passive systems is not functional safety.


Figure: a Reactor controlled by a Basic Process Control System (BPCS) with its own Inputs and Outputs, and separately protected by a Safety Instrumented System (SIS) with its own Inputs and Outputs.

Page 19

Systematic Failures

Definition of a systematic failure: a failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors.

Examples of systematic failures include human error in:
The safety requirement specification;
The design, manufacture, installation or operation of the hardware;
The design and / or implementation of the software.


Page 20

‘Best Practice’

Figure: IEC 61508 as the basic standard, with the sector standards IEC 61511 for the Process Industry and IEC 62061 / ISO 13849 (EN 954 until 2011) for the Manufacturing Industry. Axes: Focus Product Manufacture; Focus Integration. Labels: Relevant good practice; Harmonized standards.

Page 21

Basic Lifecycle Concept

Functional Safety:
Control of dangerous failures during operation through Robust Design.
Control and avoidance of systematic failures through Robust Processes.

Safety Lifecycle Requirement:
Robust Design: Engineering / Design; System Architecture; Failure Probability.
Robust Processes: Planning / Processes; Safety Management; Verification / Responsibilities.

Page 22

Verification and Validation

Verification (in general) = “Are you making it right?”
Verification is the process used to evaluate whether or not a system complies with regulations / specifications / conditions imposed at the start of a phase.

Validation (in general) = “Are you making the right thing?”
Validation is the process of establishing evidence (including functional testing) that provides a high degree of assurance that a system accomplishes its intended requirements (fit for purpose).


Page 23

Simplified Safety Lifecycle

Hazard and Risk Assessment
Design and Engineering
Installation, Validation and Start-up
Operation and Maintenance
Modernisation and Upgrade

Verification

Page 24

Security for Industrial Automation

Considering the PROFINET Security Guideline


Page 25

Peter Brown / IT Security for Industrial Automation

Figure: defence in depth around the DCS / SCADA* against a Potential Attack.
*DCS: Distributed Control System; SCADA: Supervisory Control and Data Acquisition

Plant Security
Physical Security: physical access to facilities and equipment
Policies & Procedures: security management processes; operational guidelines; Business Continuity Management & Disaster Recovery

Network Security
Security Zones & DMZ: secure architecture based on network segmentation
Firewalls and VPN: implementation of firewalls as the only access point to a security cell

System Integrity
System Hardening: adapting the system to be secure by default
User Account Management: access control based on user rights and privileges
Patch Management: regular implementation of patches and updates
Malware Detection and Prevention: anti-virus and whitelisting

Page 26

What is IT Security? (Cyber/Network)

Protection of computers and networks from intrusion and disruption.
With so many systems relying on networks this is critical.
The internet allows global connectivity and all its advantages.
These advantages lead to vulnerability.


Page 27

Why do I need IT Security?

Intrusion can be malicious or accidental
Governments are concerned by terrorist acts
Business is concerned by industrial espionage and theft
Ex-employees may have a grudge
Current employees can be careless
Computer viruses can attack PLCs
Network intrusions are on the increase; the damage can be catastrophic


Page 28

How do I implement IT Security?

CPNI recommendations

Risk analysis and policies

Industrial grade equipment

PROFINET / PROFINET Security Guideline (ICS CERT recommendations)

Industrial Security Homepage:

http://www.industry.siemens.com/topics/global/en/industrial-security


Page 29

PROFINET Security Concept (from the PROFINET Security Guideline)

Network Architecture – Security Zones
Trust Concept – within Zones
Perimeter Defence – Firewall/VPN
Provision of Confidentiality and Integrity
Transparent Integration of Firewalls

www.AllThingsPROFINET.com

Page 30

Secure Automation Cells (Zones)

Figure: complete plant security, with the plant divided into secure automation cells and the Internet outside the perimeter.

Page 31

Methods for Network Security

Security issues and vulnerabilities need to be addressed, and there are many methods. How can we address these vulnerabilities using these techniques?

Firewall: protects against unauthorized access
VLAN (Virtual Local Area Network): logical network that operates on the basis of a physical network
DMZ (De-Militarized Zone): exchange data with external partners via safe areas
VPN (Virtual Private Network): secure tunnel between authenticated users

Page 32

Functional Safety Industry 4.0

‘to literally have everything imaginable connected to a network so that information from all these “things” can be stored, transferred, analysed and acted upon in new, and usually automated ways via network connections with everything else’.

The hazards and risk aren’t changing
Monitoring of safety actions / events
Analysing of trends (OEMs)
Distributed systems and controls (smaller)
More inter-connected devices
Mechatronics
100% security?
‘Independence’ of functional safety systems


Page 33

Questions?